On Wed, Jul 13, 2005 at 07:38:11PM +0200, Martin Schulze wrote:
> Marcin Owsiany wrote:
> > During fixing the bug in linki.py with upstream author, we have found
> > and fixed similar and other security-related bugs in other
> > user-contributed scripts.
> >
> > 1.6rc2 is released, which fixes them all. I want to upload it to
> > unstable, and backport the fixes to stable. However before that, I would
> > like to know whether I should request another CAN ID for the newly
> > discovered bugs? I mean - what is best for you - the security teams in
> > terms of tracking the bug later?
>
> Having a CVE id before disclosure is always better.

However disclosure has already happened.

> However, whether a new CVE id is warranted depends on the problem.
> Without details I can't tell.

Attached is an interdiff of a draft package for stable-security. As you
can see, the modified files are:

contrib/ekgh
contrib/ekgnv.sh
contrib/getekg.sh
contrib/scripts/ekgbot-pre1.py
contrib/scripts/linki.py

The deal is that the initial advisory
(http://www.zataz.net/adviso/ekg-06062005.txt) and CAN-2005-1916 are only
concerned with contrib/scripts/linki.py, while other scripts in contrib/
also contained tempfile vulnerabilities, and
contrib/scripts/ekgbot-pre1.py contained potential shell injection (I'm
not entirely convinced that python's re.escape() protects against shell
command injection, so I've written my own popen implementation which
avoids shell altogether).

When you decide whether it's worth to request a new CAN or not, I will
prepare the final package.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
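The re.escape() doubt raised in the message above, as an added example (not part of the original mail, and not the popen replacement or any code from the ekg package): it checks whether an argument reaches a child process unchanged when it is escaped with re.escape() and run through /bin/sh, versus passed as an argv element with no shell. It assumes Python 3.7 or later and a POSIX /bin/sh; the sample strings are constructed.

```python
import re
import shlex
import subprocess
import sys

# Child program: writes its first argument back, byte for byte.
CHILD = "import sys; sys.stdout.write(sys.argv[1])"


def via_shell(arg):
    """Before: command line built as a string, arg 'protected' by re.escape()."""
    cmd = "%s -c %s %s" % (
        shlex.quote(sys.executable),
        shlex.quote(CHILD),
        re.escape(arg),  # regex escaping, not shell quoting
    )
    proc = subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True)
    return proc.stdout


def via_argv(arg):
    """After: no shell involved; arg is exactly one argv element."""
    proc = subprocess.run([sys.executable, "-c", CHILD, arg],
                          capture_output=True, text=True)
    return proc.stdout


def survives(arg):
    """Return (shell path intact?, argv path intact?) for one argument."""
    return (via_shell(arg) == arg, via_argv(arg) == arg)


# Constructed sample arguments (not taken from the ekg scripts).
SAMPLES = [
    "plain-name.txt",  # ordinary input: both paths look fine
    "a;echo",          # ';' is left alone by re.escape: sh sees two commands
    "a\nb",            # backslash-newline is a shell line continuation
    "it's",            # quote is left alone: sh reports a syntax error
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), survives(sample))
```

Only the first sample round-trips through the shell path, which is why this kind of bug passes casual testing; the argv path returns every sample unchanged.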

